Skill v0.1.0
ClawScan security
Ok Computer Swarm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 1:01 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally coherent: it launches concurrent DuckDuckGo searches and returns JSON results, and it does not request credentials or contact unexpected endpoints.
- Guidance: This skill appears to do exactly what it says: run multiple DuckDuckGo queries concurrently and return JSON. Before installing, verify that you are comfortable running third-party Python scripts and that you have or allow the requests dependency. Note the minor metadata mismatches (SKILL.md says python is required while the registry summary showed no required binaries, and the README references a logo file that is not present); these look like documentation/packaging oversights, not malicious behavior. If you need stronger isolation, run the script in a sandbox or virtual environment and inspect its network activity; otherwise it is low-risk because it does not request credentials or contact unknown endpoints.
Review Dimensions
- Purpose & Capability (note): The name/description match the code: the script performs parallel DuckDuckGo searches and aggregates results. Minor metadata inconsistencies: SKILL.md (moltbot metadata) declares a required binary (python) while the Registry 'Requirements' block shown at the top lists no required binaries; README references a logo file (3000logo.png) that is not present in the provided file list. These are bookkeeping mismatches rather than functional surprises.
- Instruction Scope (ok): SKILL.md instructs the agent to run the bundled Python script, which only performs HTTP requests to DuckDuckGo and prints structured JSON to stdout. The runtime instructions do not request unrelated files, credentials, or external endpoints beyond the DuckDuckGo API.
- Install Mechanism (ok): No install spec is provided (instruction-only skill). The repo includes a minimal requirements.txt (requests>=2.31.0). There are no downloads from third-party URLs or extracted archives; low install risk.
- Credentials (ok): The skill requires no environment variables or credentials and the code does not read any secrets. The only implied runtime requirement is Python and the requests library (declared in requirements.txt / SKILL.md); this is proportional to its purpose.
- Persistence & Privilege (ok): The skill is not always-enabled (always: false), is user-invocable, and does not request persistent system changes or modify other skills. Autonomous invocation is allowed (platform default) but not combined with broad privileges here.
